An In-Depth Look into Final Red Flag Regulations

WASHINGTON, D.C. — As many in the industry are aware, the final red flag rules go into effect on Nov. 1 of next year. Are dealers and financial institutions prepared?

SubPrime Auto Finance News interviewed several experts this week to get an overview of what exactly the rules mean to dealers and financial institutions and how these companies can prepare for legal and regulatory challenges.

Commonly known as the red flag rules, the full name for the regulation is the Identity Theft Red Flags and Notices of Address Discrepancy.

The rules were developed in response to the findings of the President's Identity Theft Task Force, which found that identity fraud results in billions of dollars in losses each year to individuals and businesses.

Basically, the rules, which are applicable to both dealers and financial institutions, entail implementing an Identity Theft Prevention program. According to the Federal Trade Commission, this program must include "reasonable policies and procedures for detecting, preventing and mitigating identity theft."

The rules have been pending for some time, with the FTC and other government entities seeking public opinion as to how to best implement these new rules. In particular, the auto industry voiced various concerns over the rules and how they will relate to dealers.

In laymen's terms, the identity theft guidelines are similar to the rules that govern advertising. If sued or investigated, a dealer or financial institution must show they have processes in place to do their best to follow the rules. Even if a mistake occurs, experts indicate that a consistent plan for dealing with issues can help protect an entity against liability.

According to Jim Lawrence, a spokesperson for Compli, the rules have a big impact on how dealers do business.

"It requires dealerships to act as if they have the layers of bureaucracy that finance institutions have. It will touch every single franchise and independent dealership. It will force dealership personnel to take on law enforcement duties (discovery and assistance with prosecution) heretofore never required," he explained.

"Compliance will require that dealerships automate as much of their compliance activity as possible. It will test the skills of every dealership's leadership and management personnel. It will require nearly constant sales and F&I training for the Red Flags, especially with the processes associated with CRA notifications because of turnover," he continued.

And finally, he pointed out that, "Turnover costs will increase substantially because of all the training necessary for compliance. These are ‘soft' costs, not accounted for in dealers' P&L, but they are there and will get bigger."

Meanwhile, voicing another opinion, Mike Goodman, an attorney with the Washington, D.C., office of Hudson Cook, indicated, "I don't believe this new rule is overly burdensome. Identify theft harms both the injured consumer and affected business. Businesses are well-positioned to stop identity theft, and Congress and the regulators have drafted businesses in the effort to stop identity theft.

"I think a lot of businesses have already been doing a lot of what is required to comply with this new rule," he added. "One new step will be to formalize and document that effort. The public may still comment on the burden involved in compliance, but not on the substantive provisions of the new rules."

How it Works

The experts explained that the recently released rules from the FTC cover three topics:

—Steps a credit or debit card issuer must take in certain circumstances when a cardholder notifies the card issuer of an address change.

"Only the first two of these are relevant to dealers and finance companies," Goodman said. "It is important for these entities to recognize that both No. 1 and No. 2 are out there now.

"With respect to the red flags rule, in a nutshell the rule requires financial institutions and creditors to develop and implement an Identity Theft Prevention program," he continued. "The term ‘creditor' covers both dealers and finance companies. Dealers (even those who immediately assign all their paper to third-party finance companies) are covered because the rule applies to the opening of a covered account. Finance companies are covered because the rule applies to the maintaining of a covered account."

Basically, a ‘covered account' is an account that was created to permit multiple payments or transactions, Goodman noted. On the other hand, an ‘account' means a continuing relationship.

"A red flag is a pattern, practice or specific activity that indicates the possible existence of identity theft. These definitions are provided for background. The short answer here is that sales of vehicles financed through a retail installment sales contract are covered by this rule," he indicated.

An Identity Theft Prevention program must comprise several areas, Goodman highlighted. It must be set up to identify relevant red flags; detect red flags; respond to red flags to prevent or lessen the chance of identity theft; and periodically review the program to stay up-to-date on trends.

"The red flags rule is accompanied by guidelines intended to promote compliance. These guidelines address how to identify relevant red flags; where to look to learn about emerging red flags; typical scenarios where identity theft is especially likely to occur; how to detect the existence of red flags in the course of a covered entity's business; what steps to take to prevent or mitigate identity theft when a red flag is detected; and how to update the program to keep it current," Goodman said. He pointed out that the guidelines offer a list of 26 examples of red flags.

All the red flags are pertinent to both dealers and financial institutions, he commented. However, different flags apply to the different types of companies because financial institutions deal with maintaining accounts, while dealers open them.

"I do think dealers and finance companies can work together to avoid duplication of efforts in running their Identity Theft Prevention program," Goodman said.

Meanwhile, Lawrence said that franchise dealers will probably have to choose between eight to 15 red flags out of the 26 examples given, which were originally 31 when first proposed.

"The standard auto checks are functionally easy to implement and are relevant to most stores. This will encompass five red flags," he indicated. "Additionally, manual red flag checks such as credit alert on bureau, altered identification, physical appearance and picture all constitute individual flags that are also relevant to the scope of franchise dealers (or dealers already should be checking)."

As for detecting additional red flags, Lawrence said this is the "hard part."

"Additional red flags selected will depend on data gathered in the audit process that could be dealer-specific based on geography, trends, experiences, demographics and the like," he explained.

Furthermore, he noted that dealerships will need to do annual and on-going reporting regarding their program to an oversight committee that the federal government will introduce to address non-compliance issues.

FTC's Reaction to Industry Concerns

Goodman and Lawrence differ on whether the FTC really took auto industry concerns into account when creating the final rules.

Goodman said, "Overall, I would expect the industry to prefer the final rules and guidelines to what regulators proposed last year. The final rule adopts the requirement to train staff. It's a little strong to say that covered entities must continually monitor for new signs of identity theft. The standard is to monitor periodically, which must mean something less than continuous monitoring.

"Also, note that the annual internal reporting requirement covers overall effectiveness of the program, oversight of service providers, incidents of identity theft and the entity's response and material changes to the program," he continued.

"I'm not sure this is as overly burdensome as commentators had feared. Perhaps most importantly, the regulators clarified that the compliance obligation is not to apply all of the regulators' example red flags in every case," he said. "Rather, the regulators explained that covered entities will be judged on the overall effectiveness of their program, which must be appropriate to the entity's size and complexity and the nature and scope of the entity's business."

In response to industry concerns, the FTC also recognized that the compliance burden would be greater than it originally thought, the attorney pointed out.

"Regulators did soften their approach to business accounts in response to industry commentators. Coverage of business accounts is limited to situations in which there is a reasonably foreseeable risk to consumers or the safety and soundness of the entity from identity theft," Goodman mentioned.

On the other hand, Lawrence reported, "Generally speaking, the original concerns related to new business processes remain. The new processes require that dealership adopt and implement a clear set of policies and procedures that require new steps in the sale process, regimented training for the ever-turning-over sales personnel and that the findings be captured over time and the learning applied to enhance the original program in a positive recurring cycle.

"Bottom line, dealerships are ill-equipped to handle ongoing data gathering and analysis, as well as reporting the new and interesting ways the system is getting duped back to the correct authorities," he stressed.

He also noted that while dealers don't have to cover all 26 red flag examples offered by the government, they need to have a good excuse for not using them.

"How's that for opening up Pandora's box?" Lawrence asked.

Lawrence later conceded that, "There was some give to the rules themselves and the manner in which the dealer can apply them. The final rules summary adopts the proposed rule that although dealers are classified as a high-risk category, they still are offered the flexibility to write their program based on the above mentioned methods."

However, he noted, "In short, they have enough rope to hang themselves. If a few bad apples take advantage of this small loophole and do nothing, all dealers will pay the price of their non-compliance."

Implementation and Enforcement

The best way to comply with the new rules is to seek assistance from associations, look to an outside attorney and hire a compliance company to oversee the plan, both Goodman and Lawrence agreed.

Given Lawrence's affiliation with Compli, he touched on the assistance this type of organization can provide.

"They can go to a compliance services provider with the correct content and audit forms and necessary distribution and training platform," Lawrence said. "Note that Compli's complete turnkey red flags program will be ready for introduction to our clients by December or sooner."

Lawrence went on to note, "They can choose to build their own set of required content and a methodology for implementation and maintenance with assistance of their legal counsel."

He also returned to the issue presented by employee turnover, saying that it "will become a critical factor as the knowledge of that new methodology walks out the door every month. Capturing and reporting their experience as well as implementing new findings will require a new level of management effort not seen in your average dealership before, unless monitored and tracked closely by an interested third party like OEM, or certified pre-owned programs."

First Advantage Credco also launched a program called BuyerID last year, which is a suite of identity verification products.

The company ran a promotion over the summer, which offered BuyerID for free to dealerships throughout the nation. The idea behind the offering was to give dealers an idea of what the new rules will entail.

"The promotion is one of many ongoing investments we continue to make to ensure that our dealer customers are educated and properly prepared in our industry's continually challenging environment," said Eric Rumsey, president of First Advantage Credco.

"Now nearly 22 percent of the consumers visiting our dealer customers have a BuyerID product accessed at the same time the dealer accesses credit report information during the F&I process," he added.

As for Goodman's point of view, he said, "The regulators explained that they believe the red flags rules constitute an extension of what covered entities have already been doing to prevent identity theft. While in most cases, compliance with the rules will mean doing more than companies had been doing before, this change should be evolutionary rather than revolutionary. This won't be an entirely new set of procedures for many companies."

He went on to explain, "Preventing identity theft is part of the FTC's privacy effort, and that effort is one of the highest enforcement priorities for the FTC. I would expect the FTC to enforce this new rule as they have the Safeguards Rule. When there is evidence of identity theft, the first thing the FTC will say is, ‘Let me see your Identity Theft Prevention Program.'

"In my view, the FTC does not have a track record of ‘gotcha' enforcement. Compliance does not require perfection, and not every mistake is a law violation. However, companies must be able to show that they have made a reasonable effort to comply," Goodman stressed.

Turning back to the three rules the red flag rules cover, he touched on the third. "It requires users of consumer reports to take certain steps when they receive a notification of address discrepancy from a consumer reporting agency. Basically, this rule says that when a consumer reporting agency tells the user of a consumer report that the two parties have substantially different addresses for the some consumer name, the user of the consumer report must take reasonable steps to determine the consumer's identity.

"If the consumer report user regularly furnishes information to the consumer reporting agency, then the user must also furnish the consumer's address if the user has been able to reasonably confirm that information. This is another measure to prevent identity theft," Goodman highlighted.

Chiming back in, Lawrence also addressed the potential liability that dealers may face.

"The government won't have to enforce the rules, hungry lawyers are already kicking-off class actions and individual lawsuits related to these rules. I have been made aware of nearly 100 actions already," Lawrence said. "All they have to do is find a dealership out of compliance and they can go for a class action or settle individually. Either way, it's easy money for the sharks."

As for dealers who manage to avoid lawsuits, Lawrence said, "There will be breaks given, but only to those dealers who can prove that they have implemented a ‘good faith' effort at complying with the new red flag rules, as well as with everything else they have to deal with from a regulatory standpoint.

"Bottom line: Legal institutions will have to make examples of several dealers in each and every state in the union to make their point that ID theft is serious stuff. My bet is that smaller dealers will take the brunt of this eventual legal juggernaut," he added.

In conclusion, he said there's really nothing that can be done about the rules as they stand now. "Game over. Unless the National Auto Dealers Association's Political Action Committee can work with legislators to make amendments to the FACT and FCRA for the benefit of dealerships, which is a fat chance. What you see is what you'll get."